We have decided to go forward using diagrams.net (formerly draw.io) as our online drawing platform (Read more about that here) for all new Azure Architecture and Concept diagrams. However, our PowerPoint (PPT) slide decks of over 70 Azure Architecture and Concept diagrams now have to be converted into the diagrams.net format. Can all of these PPT diagrams/slides be converted, or does each diagram have to be completely redrawn?

The fast way to move everything from PPT would be to turn each PPT slide into an SVG image, import it into diagrams.net and save it to a new online repository, for export as needed. However, an SVG image of a PPT slide is a ‘solid’ image – the individual elements (icons, shapes, text etc.) cannot be edited. We want fully customizable images that can be used and shared with others via Google Drive sharing features, or exported as a PDF, PNG or SVG to drop into a document or slide presentation.

There IS a conversion process to do this without having to completely redraw every diagram or concept from scratch. Diagrams.net will import Visio .vsdx files, and the drawing elements will all be available to change as needed. At this point, it’s not an instant conversion, but a process of steps. To me, this is still better than starting all over with each diagram. I end up with a framework to add icons and text back into – but sizing & placement is already done!

Over the past few months we’ve reviewed 5 different online drawing platforms to determine which one would be best for us to begin using. Read more about all that here. Currently, we’ve been using locally installed PowerPoint as an alternative to Visio, to build up our repository of Azure Architecture and Concept diagrams for use with clients and for teaching presentations. Access those PPT drawings here.

CloudSkew is a new, free online cloud architecture drawing platform that is still in pre-release status:

The current and planned Features List outlines what to expect. Diagrams are auto-saved in CloudSkew cloud storage. It’s all a good start. This will be the only online platform that focuses solely on being a drawing platform for cloud architecture and concepts.

I created a simple Azure concept diagram and discovered a number of ‘still to be added’ needs before I could draw a more complex Azure architecture diagram, such as Tim Warner’s IaaS class diagram. (see 2nd drawing below)

The first thing I do when starting an Azure architectural or concept drawing is to gather the most current Azure icons I’ll need for the project. This is a list of resources of Azure Icon Sets and Visio stencils to download. If you’re using an online draw program, you can search within these resources for any missing icons/symbols you need.

This is a free download from Microsoft which includes icons (SVG format only) for almost all Azure services and Microsoft cloud related technologies.

Microsoft no longer includes Visio stencils (since these are only in the subscription versions of Visio now) in the Azure Icon Set, so the Visio Stencils provided in resources #3-6 below are invaluable now!

Cacoo.com offers another online drawing platform that promotes itself as ready for collaborative use for creating Azure architectural drawings. As in the other online drawing programs that we’ve been reviewing, Tim Warner’s Azure IaaS drawing was used as the vehicle to test the ease of use, the pre-loaded current Azure Icon Set and other features noted here.

This is Tim Warner’s Visio drawing done in Cacoo online. Replicating a detailed drawing like this helps to discover the platform’s functionality, ease of use, as well as the other review details outlined here.

While it is straightforward to install the entire Office 2019 Suite using a downloaded ISO file on a PC desktop, this is how to install only selected programs of the Office 2019 Suite.

Office 2019, like Office 2016, is a Click-To-Run installation process, with no customization allowed on a basic install. All of the programs in the Office 2019 Suite are installed – including Publisher, Access, Skype for Business etc. Once the installation is complete, the extra unnecessary programs cannot be uninstalled, since the option is no longer available in the Control Panel using the ‘Change’ option. Change is not active – it reverts to only giving the Repair options now.

This is Tim Warner’s Visio drawing re-done in VP Online. Replicating a detailed drawing like this helps to discover the platform’s functionality, ease of use, as well as some of the other review details outlined here.

This is Tim Warner’s Visio drawing done in LucidChart. Replicating a detailed drawing like this helps to discover the platform’s functionality, ease of use, as well as the other review details outlined here.

Up to this point, we have been using locally installed PowerPoint successfully and efficiently to create all of the Azure concept and architectural diagrams used with clients (Read more about this here). There are a number of online drawing programs available now to create these and other technical drawings. There is no software to install; the diagrams are stored online (Although local copies of documents can also be saved).

This is Tim Warner’s Visio drawing done in draw.io… Replicating a detailed drawing like this helps to discover the platform’s functionality, ease of use, as well as the other review details outlined here.

We use Cloudockit for generating Azure Subscription Account documentation for our enterprise clients. For Azure architectural drawings we have been using PowerPoint, for a number of reasons.

PowerPoint (PPT) was originally chosen as an easy, effective drawing platform alternative to Visio (Read more about that here) for creating Azure architectural diagrams or concepts for clients or training presentations. Drawing diagrams with PPT is very simple, with a flat learning curve! Once a library of PPT diagrams is created, it is relatively easy to use any diagram as a template to be customized for the next client. Slides can easily be used as a separate drawing, or customized and added into a custom presentation, exported into Word or as a PDF. Collaboration is possible by saving a PPT slide or slide deck to a cloud location. However, there are some cons to using PowerPoint for drawing: a PowerPoint repository of commonly used Azure Icons must be built and maintained. Automatic versioning is not available. Connector styles are limited, and it’s not possible to turn off the ‘snap-to-grid’ function, which would make connecting easier in some cases.

There are a number of online drawing programs that will make drawing Azure architectural and concept diagrams even more efficient – and no software need be installed locally, although some of the programs do offer a desktop version for working off-line.

While creating Azure architectural and concepts drawings, my first step is to gather the most current Azure Icons that I will be using in the diagram(s).

I prefer using SVG format icons/symbols for drawings, because their image quality is maintained no matter how they’re resized or moved. The problem is, having extracted a downloaded zip file of the latest Azure icon/symbol set, the SVG icons cannot be previewed as thumbnails in Windows File Explorer. You can only see the name, as in the screen-shot below. I need to be able to see preview/overview thumbnails of all the SVG files, as I can for .PNG files! A thumbnail viewer will save a lot of time choosing the correct set of SVG icons needed for a drawing!

NGINX Management with NGINX Controller

NGINX Controller is a separate and optional product from NGINX, Inc. that manages the NGINX data plane and the entire lifecycle of NGINX Plus under these configurations:

Load Balancer

API Gateway

Proxy in a service mesh environment

This optional and separate NGINX product is fully functional within Azure and provides an additional (or alternative) way to manage NGINX without using Azure Security Center, Azure Monitor, the Azure Portal or PowerShell.

Azure Security Center with NGINX

Azure Security Center (ASC) is a service that comes in a free tier with limited functionality and a fee-based standard tier with a complete set of security capabilities for organizations that need enhanced functionality. The free tier monitors compute, network, storage, and application resources in Azure. It also provides security policy, security assessment, security recommendations, and the ability to connect with other security partner solutions. The standard tier extends all the capabilities of the free tier to on-prem environments (private cloud) as well as to other public clouds such as AWS and Google Cloud Platform (GCP). The standard tier also includes many more security features along with the following critical security controls:

The following aims to give you enough information to decide which best works for you and shows you how using NGINX Plus with Azure Load Balancer can give you a highly available HTTP load balancer with rich Layer 7 functionality.

Azure Resource Manager is the deployment and management service for Azure. It provides a consistent management layer that enables you to create, update, and delete resources in your Azure subscription. You can use its access control, auditing, and tagging features to secure and organize your resources after deployment.

There are no prebuilt ARM templates or PowerShell scripts available from NGINX currently. However, there is nothing preventing the creation of an ARM template and PowerShell script based on your custom deployment requirements for Azure using your custom VM images previously created.

The following provides an example of creating an Ubuntu 16.04 LTS marketplace image from Canonical along with the NGINX web server using the Azure Cloud Shell and the Azure PowerShell module.

The Azure Marketplace is a software repository for pre-built and configured Azure resources from independent software vendors (ISVs). You will find open source and enterprise applications that have been certified and optimized to run on Azure.

NGINX, Inc. provides the latest release of NGINX Plus in the Azure Marketplace as a virtual machine (VM) image. NGINX OSS is not available from NGINX, Inc. but there are several options available from other ISVs in the Azure Marketplace.

Searching for “NGINX” in the Azure Marketplace will produce several results as shown below:

NGINX Open Source Software (OSS) is free while NGINX Plus is a commercial product that offers advanced features and enterprise-level support as licensed software by NGINX, Inc.

NGINX Plus combines the functionality of a high-performance web server, a powerful front-end load balancer and a highly-scalable accelerating cache to create the ideal end-to-end platform for your web applications. NGINX Plus is built on top of NGINX open source.

For organizations currently using NGINX open source, NGINX Plus eliminates the complexity of managing a “do-it-yourself” chain of proxies, load balancers and caching servers in a mission-critical application environment.

Load balancers have evolved considerably since they were introduced in the 1990s as hardware-based servers or appliances. Cloud load balancing, also referred to as Load Balancing as a Service (LBaaS), is an updated alternative to hardware load balancers. Regardless of the implementation of a load balancer, scalability is still the primary goal of load balancing, even though modern load balancers can do so much more.

Optimal load distribution reduces site inaccessibility caused by the failure of a single server while assuring consistent performance for all users. Different routing techniques and algorithms ensure optimal performance in varying load-balancing scenarios.

Modern websites must support concurrent connections from clients requesting text, images, video, or application data, all in a fast and reliable manner, while scaling from hundreds of users to millions of users during peak times. Load balancers are a critical part of this scalability.

Problems Load Balancers Solve

The Solutions Load Balancers Provide

The OSI Model and Load Balancing

Problems Load Balancers Solve

Cloud bursting is a configuration between a private cloud (i.e. on-prem compute environment) and a public cloud that uses a load balancer to redirect overflow traffic from a private cloud that has reached 100% of resource capacity to a public cloud to avoid decreases in performance or an interruption of service.

It happened: an expired SSL certificate broke HTTPS for the website! The Azure WebJob that automatically renews the quarterly LetsEncrypt SSL certificate did not work (for a number of reasons, one being that an old subscription and a deleted, unused service principal were still registered in the Application Settings for LetsEncrypt), and the website was now only available via http. Yikes!

This series of 9 blog posts are suitable for cloud solution architects and software architects looking to integrate NGINX (pronounced en-juhn-eks) with Azure-managed solutions to improve load balancing, performance, security, and high availability for workloads. Software developers and technical managers will also understand how these technologies in the cloud have a direct impact on application development and application architecture for more cloud-native solutions. Load balancing provides scalability and a higher level of availability by distributing incoming network traffic efficiently across a group of backend servers, also known as a server pool or server cluster.

This series of blog posts provides a meaningful description of load-balancing options available natively from Microsoft Azure and the role NGINX can play in a comprehensive solution.

Even though the examples used are specific to Azure, these load balancing concepts and implementations using NGINX apply equally to other large public cloud providers such as Amazon Web Services (AWS), Google Cloud Platform, Digital Ocean, and IBM Cloud along with their respective cloud platform–native load balancers.

A year ago, we had unsuccessfully tested a number of caching plugins on this Azure hosted WordPress blog. Because of ongoing frustrations with slow page loading speed, we tried installing WP Super Cache again – this time to a resounding YES! IT WORKS! While more work is still needed, the page load speed has dropped from 5.8 sec to 3.0 sec with the basic plugin install.

The caching plugin creates static HTML copies of website pages and serves those instead of generating each page with PHP and database queries on every visit.

WP Super Cache Setup – Quick and Easy!

Install the plugin > Easy tab > Caching On. That’s all that’s needed to get started!

In a recent blog post, we discussed how we discovered that an SSL certificate that was not accepted by all browsers had been inadvertently installed months ago on a publicly accessible WordPress DEV site hosted on Azure Web Apps. It was only discovered by an SSL checker while we were checking page load performance!

These are some of the free online versions of the tools that we use for testing SSL certificates. It’s important to use them!!

When it was discovered that a ‘staging’ SSL certificate had been initially added to a website with the issuer set as ‘Fake LE Intermediate X1’, (Read about that here) we replaced the SSL Certificate with one that would be acceptable to all browsers.
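The two failure modes described in these posts, a certificate that silently expires because the renewal job broke and a certificate issued by the Let's Encrypt staging CA (issuer ‘Fake LE Intermediate X1’) that no browser trusts, are easy to catch with a small check of your own rather than only with an online SSL checker. The following is an added example (not code from the original posts or from any of the tools they mention), using only the Python standard library. The sample certificate dict is constructed to look like the staging certificate described above and is not a real capture; the staging-issuer name markers are an assumption based on the issuer names in use at the time of writing.

```python
"""Added example: check a site's TLS certificate for the two problems above,
(1) expired or about to expire, and (2) issued by the Let's Encrypt *staging*
CA ("Fake LE Intermediate X1"), which no browser trusts. Standard library only."""
import socket
import ssl
import sys
from datetime import datetime, timezone

# Substrings that identify Let's Encrypt staging issuers (assumption: the
# names seen at the time of writing; add any others you encounter).
STAGING_ISSUER_MARKERS = ("fake le", "(staging)")

# A certificate in the dict shape that ssl.SSLSocket.getpeercert() returns.
# Constructed for this example to look like the staging certificate the post
# describes; it is not a captured certificate.
SAMPLE_STAGING_CERT = {
    "subject": ((("commonName", "dev.example.com"),),),
    "issuer": ((("commonName", "Fake LE Intermediate X1"),),),
    "notBefore": "Mar  1 00:00:00 2019 GMT",
    "notAfter": "May 30 00:00:00 2019 GMT",
    "subjectAltName": (("DNS", "dev.example.com"),),
}


def utc(year, month, day):
    """Timezone-aware UTC instant, used to make 'now' explicit in checks."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def rdn_value(name, attr):
    """Read one attribute (e.g. commonName) from getpeercert()'s RDN tuples."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return None


def days_until_expiry(cert, now=None):
    """Whole days left before notAfter; negative once the cert has expired."""
    now = now or datetime.now(timezone.utc)
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    return (expires - now).days


def is_staging_issuer(cert):
    """True when the issuer CN looks like a Let's Encrypt staging intermediate."""
    issuer_cn = (rdn_value(cert["issuer"], "commonName") or "").lower()
    return any(marker in issuer_cn for marker in STAGING_ISSUER_MARKERS)


def assess(cert, now=None, warn_days=14):
    """Return a list of findings; an empty list means the certificate looks healthy.
    warn_days=14 leaves time to notice a broken renewal job before a 90-day cert lapses."""
    findings = []
    remaining = days_until_expiry(cert, now)
    if remaining < 0:
        findings.append(f"EXPIRED {-remaining} day(s) ago")
    elif remaining < warn_days:
        findings.append(f"expires in {remaining} day(s); check the renewal job")
    if is_staging_issuer(cert):
        findings.append(f"issued by staging CA '{rdn_value(cert['issuer'], 'commonName')}'; browsers will reject it")
    return findings


def fetch_peer_cert(host, port=443, timeout=10):
    """Live check. The default context verifies the chain, so an expired or
    staging-issued certificate raises ssl.SSLCertVerificationError here, which
    is itself the finding (getpeercert() returns {} for unverified peers)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        try:
            report = assess(fetch_peer_cert(sys.argv[1]))
        except ssl.SSLCertVerificationError as exc:
            report = [f"chain failed verification: {exc.verify_message}"]
    else:
        report = assess(SAMPLE_STAGING_CERT, now=utc(2019, 6, 15))
    print("\n".join(report) or "OK")
```

Run it with a hostname to check a live site, or with no arguments to see the findings for the constructed staging certificate. Because the default SSL context verifies the chain, a live expired or staging-issued certificate surfaces as a verification error rather than a parsed certificate, which is the same signal a browser gives; scheduling this against every public hostname (including DEV copies) is what would have caught both incidents earlier.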

In my work with Enterprise clients as an Azure Consultant, I’ve created a few tools to help me communicate efficiently and clearly with team members in various levels of management that need to understand and implement specific Azure concepts.

There is an Index of Azure Policy Samples online of 56 Policies in 9 different categories. At the time of writing this, there are also 73 ‘in-preview’ policies in various categories on the Azure portal, with 192 Azure pre-built policies in 22 categories! See them here at:

We’ve been working at speeding up page loading and general performance of our Azure hosted WordPress websites. Of course, because these are Azure App Service hosted IIS websites, we can’t make changes to the underlying IIS configuration, but it is good to know of any vulnerabilities. (An EXCELLENT tool that we use on all of our Azure IaaS web servers to harden the TLS/SSL protocol and cipher suite configuration is IIS Crypto.)

These are some of the free online versions of the tools that we use for measuring performance changes.

We have a static website running from an Azure storage account, using Azure CDN to deliver with a custom domain name and HTTPS. (https://www.alvarnet.com) We need the root custom domain (alvarnet.com) to also be resolvable.

It wasn’t clear in online documentation how to add the root domain to an Azure CDN endpoint, or if it was even possible yet – sub-domains only for CDN endpoints seem to be the standard. In fact, CDN Allow Root Domain for Custom Domains is an Azure ‘feature request’ that has been under review for over a year!

Unsuccessful Trial:

I created a new CDN endpoint but the CNAME of the root domain name wasn’t recognized

Our DNS provider, EasyDNS, allows for CNAME/Alias records of root domains – but mapping the root domain as a Custom hostname to the alvarnet.azureedge.net CDN endpoint still wouldn’t work. The error message when trying to ‘Add a custom domain‘ basically said it didn’t recognize the CNAME mapping between the root domain and the CDN endpoint.

We are in the process of setting up a static custom domain website with SSL being hosted from an Azure storage account.

After getting HTTPS protocol to work, it is necessary to set up HTTP Rules for the CDN endpoint to be able to serve up the proper landing page of the website, plus force redirecting of all http traffic to https.

Previous steps in Setting up a custom domain website being hosted from an Azure storage account:

In order to configure the Azure CDN Rules Engine, the Azure CDN profile must be the Premium Verizon pricing tier. It is the only one of the 4 Azure CDN products that has the Rules Engine feature:

We are in the process of setting up a static custom domain website being hosted from an Azure storage account. While an Azure Storage Account can have a custom domain added to it, it doesn’t support the HTTPS protocol on that custom domain. Using Azure CDN allows both a custom domain and an SSL certificate, giving HTTPS security.

Previous steps in Setting up a custom domain website being hosted from an Azure storage account:

From PowerPoint Diagrams of Azure Concepts & Architecture:
While working with multiple Enterprise teams as an Azure Consultant, I repeatedly use, modify and add to a deck of PowerPoint slides that I customize for communicating Azure concepts to team members in various departments. Some of the slides are combinations of elements and/or concepts from all the Diagram Sources below. Links are provided for original diagrams where possible.
Diagram Sources:

We are in the process of setting up a static custom domain website being hosted from an Azure storage account.
Previous step in Setting up a custom domain website being hosted from an Azure storage account:

A custom domain for accessing blob data in an Azure storage account can be mapped to either the blob storage endpoint (<your-storage-account-name>.blob.core.windows.net) or the web endpoint (<your-storage-account-name>.zone.web.core.windows.net) that is generated when the static websites feature of the storage account is activated. We are going to setup a custom domain name for the web endpoint of a storage account. The process is the same for the blob storage contents using the blob storage endpoint.

1. In our DNS provider, we setup a new CName record for a custom domain name (demo.alvarnet.com) that points to the Azure storage account’s web endpoint (drsitebackups.z19.web.core.windows.net):
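The CNAME step above, and the root-domain attempt that failed earlier in this series, both come down to one DNS rule: a CNAME must be the only record at its owner name, and the zone apex always holds the SOA and NS records, so a CNAME can never be placed at the root (RFC 1034 section 3.6.2, RFC 1912). The following is an added example (not code from the original posts, and not anything EasyDNS or Azure provide) that plans the records for a custom hostname and refuses any name where a CNAME would collide, which generalises the apex case. It assumes the endpoint hostname patterns in use when these posts were written, the `asverify`/`cdnverify` pre-validation prefixes that Azure Storage and Azure CDN accept for validating a custom domain before cut-over, and a constructed sample zone that is not the real alvarnet.com zone.

```python
"""Added example: plan the DNS records for mapping a custom hostname to an
Azure storage web endpoint or Azure CDN endpoint, applying the rule behind the
root-domain failure: a CNAME must be the only record at its owner name, and
the apex always carries SOA/NS, so a CNAME can never live there."""
import re

# Endpoint hostname shapes recognised here (assumption: the forms in use when
# this was written; extend the table if Azure adds suffixes).
ENDPOINT_PATTERNS = {
    "storage-web": re.compile(r"^[a-z0-9]{3,24}\.z\d{1,3}\.web\.core\.windows\.net$"),
    "storage-blob": re.compile(r"^[a-z0-9]{3,24}\.blob\.core\.windows\.net$"),
    "cdn": re.compile(r"^[a-z0-9][a-z0-9-]{0,62}\.azureedge\.net$"),
}
# Pre-validation prefixes: Azure validates ownership via a CNAME at these
# names, so the live hostname can be cut over with no downtime.
VERIFY_PREFIX = {"storage-web": "asverify", "storage-blob": "asverify", "cdn": "cdnverify"}

# Constructed sample zone as (name, type, data); not the real alvarnet.com zone.
SAMPLE_ZONE = [
    ("alvarnet.com", "SOA", "dns1.easydns.com. hostmaster.alvarnet.com. 2019060101 7200 900 1209600 300"),
    ("alvarnet.com", "NS", "dns1.easydns.com."),
    ("alvarnet.com", "NS", "dns2.easydns.com."),
    ("alvarnet.com", "A", "203.0.113.10"),
    ("www.alvarnet.com", "CNAME", "alvarnet.azureedge.net."),
]


def normalize(name):
    """Lower-case and strip the trailing dot so names compare consistently."""
    return name.strip().lower().rstrip(".")


def classify_endpoint(target):
    """Return which Azure endpoint type `target` is, or raise if it is none of them."""
    host = normalize(target)
    for kind, pattern in ENDPOINT_PATTERNS.items():
        if pattern.match(host):
            return kind
    raise ValueError(f"{target!r} is not a recognised Azure storage or CDN endpoint hostname")


def blocking_records(zone, hostname):
    """Non-CNAME records already at `hostname`; any of these forbid a CNAME there.
    An existing CNAME is not listed because it would simply be replaced."""
    owner = normalize(hostname)
    return [r for r in zone if normalize(r[0]) == owner and r[1] != "CNAME"]


def cname_allowed(zone, hostname):
    """True when a CNAME can be the only record at `hostname`."""
    return not blocking_records(zone, hostname)


def plan_cname(zone, hostname, target, prevalidate=True):
    """Records to add so `hostname` resolves to the Azure endpoint `target`."""
    kind = classify_endpoint(target)
    blockers = blocking_records(zone, hostname)
    if blockers:
        types = ", ".join(sorted({r[1] for r in blockers}))
        raise ValueError(
            f"cannot add a CNAME at {normalize(hostname)}: {types} record(s) already exist "
            "there, and a CNAME must be the only record at its name (the apex always has SOA/NS)")
    records = []
    if prevalidate:
        prefix = VERIFY_PREFIX[kind]
        records.append((f"{prefix}.{normalize(hostname)}", "CNAME", f"{prefix}.{normalize(target)}"))
    records.append((normalize(hostname), "CNAME", normalize(target)))
    return records


if __name__ == "__main__":
    for host, target in [("demo.alvarnet.com", "drsitebackups.z19.web.core.windows.net"),
                         ("alvarnet.com", "alvarnet.azureedge.net")]:
        try:
            for name, rtype, data in plan_cname(SAMPLE_ZONE, host, target):
                print(f"{name:48} {rtype:6} {data}")
        except ValueError as exc:
            print(f"{host}: {exc}")
```

For `demo.alvarnet.com` the planner emits the `asverify` record first, so Azure can validate ownership before the real CNAME is switched, and for the bare `alvarnet.com` it refuses, because the apex already carries SOA, NS and A records. Provider-specific ALIAS/ANAME flattening is what DNS hosts offer to work around this; as the earlier post found, the target service also has to accept a root hostname, which is a separate check from the DNS rule.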

Problem:
This InvalidQueryParameterValue XML error occurred when attempting to connect to 3 different URLs associated with a static website being hosted by an Azure storage account and Azure CDN.
1. The CDN endpoint hostname URL:

We are setting up the hosting of a static website within an Azure Storage Account that will use an Azure CDN to add a custom domain with SSL connectivity to the static website. A CDN endpoint must be created to connect to the Azure Storage Account’s (containing the static website’s assets) primary endpoint URL.

Previous steps in Setting up a custom domain website being hosted from an Azure storage account:


We are in the process of setting up a static custom domain website being hosted from an Azure storage account. While an Azure Storage Account can have a custom domain added to it, it doesn’t support the HTTPS protocol on that custom domain. Using Azure CDN allows both a custom domain and an SSL certificate, providing HTTPS security for website users.

Previous steps in Setting up a custom domain website being hosted from an Azure storage account:

“A content delivery network (CDN) is a distributed network of edge servers that can efficiently deliver web content to users. CDNs store cached content on edge servers in point-of-presence (POP) locations that are close to end users, to minimize latency. A CDN profile, belonging to one Azure subscription, can have multiple CDN endpoints.”

We’re using the Azure CDN endpoint we’ll create in the next step to deliver static website assets stored in an Azure storage account. Because we will need to add HTTP rules to the endpoint(s) in the CDN profile, we’ve chosen the Premium Verizon pricing tier. Premium Verizon is the only one of the 4 Azure CDN products that has the Rules Engine feature:

It is possible to host a small (less than 1 GB) static website with a custom domain name and SSL access, for pennies a month, from Azure Blob Storage and using Azure CDN!

This blog post outlines the first 6 steps for setting up a static website within an Azure GPv2 storage account. SSL and custom domain name are provided via an endpoint to the storage account from Azure CDN. While a custom domain name could be assigned to the new static website at the storage account level, we need to use Azure Content Delivery Network (CDN) to provide the https functionality/security, so the website’s custom domain will be pointed to the CDN endpoint.

Some of the key attributes of the custom HTTPS feature are:

No additional cost: There are no costs for certificate acquisition or renewal and no additional cost for HTTPS traffic. You pay only for GB egress from the CDN.

Simple enablement: One-click provisioning is available from the Azure portal. You can also use REST API or other developer tools to enable the feature.

Complete certificate management is available: All certificate procurement and management is handled for you. Certificates are automatically provisioned and renewed prior to expiration, which removes the risks of service interruption due to a certificate expiring.



While struggling to get a plugin working on a DEV copy of the blog site, and responding to suggestions from the plugin developer on changes that could be implemented based on the log file error results – we did some fine tuning of the DEV website’s Azure App Service Application Settings. Since the DEV site worked well with the changes (but not the plugin yet – that’s another story to follow!) the changes were done on the PROD website too.


Being able to move Managed Disks and Images, VMs and Snapshots in Azure across Resource Groups and Subscriptions is a MAJOR organizational improvement and time saver.

To get this new functionality in your Azure subscription, you’ll need to register the feature via PowerShell. Be sure to do BOTH registrations: once for the feature itself, and again to re-register the Microsoft.Compute resource provider (RP) so the feature takes effect:

For example, we’ve been able to easily reorganize important but aged snapshots all into one resource group, cleaning up unnecessary Resource Group sprawl and consolidating some vital resources. The snapshots can still be moved across subscriptions and resource groups via PowerShell, but it helps to visually have them all in the same container.





An Azure service principal is a security identity used by applications, services, and automation tools to access designated Azure resources. The service principal is an application identity in Azure Active Directory (AAD) with its own credential (a client secret or certificate, in the way a user has a password) and an assigned role/permissions. Unlike a general user identity, a service principal should be granted only the specific permissions it needs, at the narrowest scope that works (least privilege). In this example, a new Service Principal will be created in AAD and assigned a role scoped to a single Azure Resource Group. Read here for the steps to register a new Service Principal using PowerShell.

Using the Azure Portal

Adding a service principal in the Azure Portal is very straightforward.

An Azure service principal is a security identity used by applications, services, and automation tools to access designated Azure resources. The service principal is an application identity in Azure Active Directory (AAD) with its own credential (a client secret or certificate, in the way a user has a password) and an assigned role/permissions. Unlike a general user identity, a service principal should be granted only the specific permissions it needs, at the narrowest scope that works (least privilege). In this example, a new Service Principal will be created in AAD and assigned a role scoped to a single Azure Resource Group. Read here for the steps to register a new Service Principal using the Azure Portal.

Being able to quickly swap out the OS disk of an Azure VM means VMs don’t have to be ‘killed’ and rebuilt when there is a problem or a need for a major revision of the VM. A backup OS managed disk, a new OS managed disk, or an ‘earlier’ version of the OS managed disk can be applied in situ to the provisioned VM. We keep a repository of key versions of OS and Data disk snapshots that can be quickly turned into unattached managed disks when needed for fixing a VM.